CVE-2010-4527: Linux kernel OSS Sound Card Driver Buffer Overflow

This issue was reported by Dan Rosenberg and affects systems using the OSS sound card driver for Linux. The vulnerable code resides in the load_mixer_volumes() routine in sound/oss/soundcard.c. Specifically, here is the susceptible code…

The initial ‘for’ loop iterates through the ‘mixer_vols[]’ array and uses strcmp(3) to find the requested name. However, there is no check that the provided name is at most 32 bytes long. This can result in an out-of-bounds read, since the name member is a fixed-size, statically allocated array, as the definition of the structure in the include/linux/soundcard.h header shows.

Of course, the subsequent call to strcpy(3) lacks the very same length check, leading to a possible kernel stack buffer overflow if a user provides a name longer than 32 bytes. The fix for the first issue was to use the strncmp(3) routine, which performs the same comparison but stops after a caller-supplied maximum length.
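As an added example that is not the kernel's own code, here is the lookup-and-register pattern written with the bounds the text calls for: the field layout follows struct mixer_vol_table from include/linux/soundcard.h, while the table size, the helper names (find_or_add_mixer, reset_mixer_table) and the outright rejection of over-long names are assumptions of this illustration.

```c
/* Added illustration, not the driver's code: a bounded version of the
 * name lookup/registration pattern.  Field names mirror
 * struct mixer_vol_table in include/linux/soundcard.h; the table size
 * and helper names are assumptions for this example. */
#include <stddef.h>
#include <string.h>

#define MIXER_NAME_LEN 32   /* size of the fixed name[] member */
#define MAX_MIXER_DEV  8    /* assumed table size for the example */

struct mixer_vol_table {
    int  num;
    char name[MIXER_NAME_LEN];
    int  levels[32];
};

/* Static table, as in the driver: a global array of fixed-size entries. */
static struct mixer_vol_table mixer_vols[MAX_MIXER_DEV];
static int num_mixer_volumes;

/* Return the slot index for `name`, registering it if absent.
 * A name that does not fit in name[] together with its terminator is
 * rejected with -1 instead of being compared or copied past the buffer. */
int find_or_add_mixer(const char *name)
{
    int i;

    /* memchr never reads more than MIXER_NAME_LEN bytes of the input;
     * no terminator inside that window means the name is too long. */
    if (name == NULL || memchr(name, '\0', MIXER_NAME_LEN) == NULL)
        return -1;
    for (i = 0; i < num_mixer_volumes; i++) {
        /* strncmp bounds the comparison to the field size, so a stored
         * name[] can never be read past its end. */
        if (strncmp(name, mixer_vols[i].name, MIXER_NAME_LEN) == 0)
            return i;
    }
    if (num_mixer_volumes >= MAX_MIXER_DEV)
        return -1;
    i = num_mixer_volumes++;
    /* Bounded copy; the check above guarantees the terminator fits. */
    strncpy(mixer_vols[i].name, name, MIXER_NAME_LEN);
    mixer_vols[i].name[MIXER_NAME_LEN - 1] = '\0';
    mixer_vols[i].num = i;
    return i;
}

/* Reset the table so the example can be run repeatedly. */
void reset_mixer_table(void)
{
    memset(mixer_vols, 0, sizeof mixer_vols);
    num_mixer_volumes = 0;
}
```

The same 32-byte limit governs both the comparison and the copy, so the out-of-bounds read and the overflow described above are closed by one length check.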